News and updates about Information Technology at Harvey Mudd College

Main menu

Post navigation

Data Privacy Month (with a painful story about a phone)

Data Privacy Month continues, and this week I have a story that is told to all young system administrators. It’s about what happened when a phone was lost. Read it, weep… and then go make your phone secure.

Junior system administrators go through many rites of passage. One of them is when, early in their training, they get to spend a whole night in the data center. This is a way of preparing them for those all night system upgrades, when they have to perform at their peak at a time when they are normally asleep. This story is often told during that special training night.

A good data center is cold. You should picture the junior sys admins huddled in their parkas around the back of a server, hoping to get some heat from the exhaust. Some of them are nodding off. The hoary senior system admin, noting this, decides it is time to tell the phone story, and fill it with detail, to spark their interest. System admins are by nature fascinated with details, good at reading and, as a bonus, following, meticulously detailed instructions. And so the hoary one begins…

“Once upon a time, in a far away College, there was a senior member of the administration, let’s call him VP Terry. VP Terry had lots of responsibilities and was always on the move. He had a very expensive and very sophisticated smart phone to help with his work. He used it all the time, for emails, for calendar, for reading documents and even for accessing many of the College databases.”

“VP Terry, just like Marissa Mayer, didn’t have a pin, or any other security, on his phone. It saved him (and her) time every day”.

The hoary senior sys admin paused for effect and noted with satisfaction that the eyes of her audience had grown large. This bunch would be security conscious!

“And then, one dark day, it happened. VP Terry mislaid his phone. Possibly at the airport. He didn’t notice it was gone until the end of the 11 hour flight and by then he could not contact the IT folk at his College to see what they could do. Truth be told, he didn’t even think to do that”. The eyes got wider.

“Someone sent messages from the phone and it was not returned. So do you know what happened? Are you ready? Here’s the detail:

The cell phone contained a direct link to the college’s database, where confidential information on 40,000 students was stored. The College was obliged by law to notify each and every one of them. Direct cost: $150,000. Indirect reputation cost: ???

The cell phone provided unauthorized access to educational records (grades were accessible from the phone). Student’s privacy rights were so compromised that it warranted a self-report to the Family Policy Compliance Office (FPCO) of the Department of Education, placing future funding for the College at risk.

A document containing a job offer was viewable on the phone and ended up on the internet. The candidate turned the College down and was gravely embarrassed at her home institution.

VP Terry’s personal credit card information was compromised.

He lost all the photos of his family vacations, since he was no better at backups than he was at security.”

As she listed these details, the hoary sys admin’s voice reached a crescendo. The junior sys admins were now fully awake and several pulled out their smart phones, sheepishly looking for the settings…

Thanks for reading. Please have a look at this Intel site on mobile security: